Date: Thu, 19 Apr 2018 10:06:22 +0800
From: Julian Elischer <julian@freebsd.org>
To: Rick Macklem <rmacklem@uoguelph.ca>, Konstantin Belousov <kostikbel@gmail.com>
Cc: Andriy Gapon <avg@FreeBSD.org>, "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>
Subject: Re: svn commit: r332559 - head/usr.sbin/mountd
Message-ID: <c04e7bd8-3e74-3922-6e3a-eb20184c2941@freebsd.org>
In-Reply-To: <YQBPR0101MB1042E8D110F8DBCE648767A7DDB60@YQBPR0101MB1042.CANPRD01.PROD.OUTLOOK.COM>
References: <YQBPR0101MB104243594E51285F229BC11FDDB00@YQBPR0101MB1042.CANPRD01.PROD.OUTLOOK.COM> <20180417123212.GM1774@kib.kiev.ua> <ab24ee87-22f7-d40c-5807-d8a3ed996e54@freebsd.org> <YQBPR0101MB1042E8D110F8DBCE648767A7DDB60@YQBPR0101MB1042.CANPRD01.PROD.OUTLOOK.COM>
On 19/4/18 5:15 am, Rick Macklem wrote:
> Julian Elischer wrote:
> [stuff snipped]
>> Our issue is that we make a server that combines CIFS/SMB access (via
>> samba), credential setting from a company-wide AD server (Windows)
>> via winbindd (samba) via nsswitch, and NFS.
>>
>> The problem is that when one looks up a user name from the AD server
>> one can get back a credential with a large number of groups, because
>> some companies use Windows groups extensively. So a single user may be
>> in a group for every project they are involved with, as a method of
>> giving them access to files related to a project.
>> In this scenario a group manager may be given access to a lot of groups.
>>
>> A user looking at a file via NFS needs to be able to see what he needs
>> and still be blocked as per company policy.
>> I am investigating whether the new user-manager daemon may help, but I
>> don't fully understand it yet.
>> I gather it maps an incoming request to a set of groups as defined on
>> the server rather than on the client, but I'm not sure yet how that
>> relates to mountd.
> I am happy to say I know nothing about AD, but I thought it included an
> LDAP service?

Yes, and this is what is used when one uses LDAP against an AD server
(which seems to work).

> If there is a way to configure FreeBSD so that getgrouplist(3)
> gets this list of AD groups, then "nfsuserd -manage-gids" on the NFS server
> should do what you want. (It takes the "uid" from the AUTH_SYS RPC request
> header and then creates a list of groups for that "uid" via getgrouplist(3).
> It basically does a getpwuid() and then uses the pw_name as the first arg
> to getgrouplist(3).
> It ignores the list of groups in the RPC header and, therefore, is not limited
> to 16.)

Yes, that is what I was referring to in my previous email.
getgrouplist(3) does the right thing as far as I know.

> If getgrouplist(3) can't see the set of AD groups, then something needs to be
> done to make that work.
>
> rick
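As an added example, written for this archive page and not taken from nfsuserd's source or from anyone in the thread, the C program below models the mechanism Rick describes. The 16-gid limit is the `gids<16>` array of the AUTH_SYS credential in RFC 5531; `struct authsys_cred` is a simplified, hypothetical in-memory model of that credential, and the function names and the 40 sample gids are made up for the example. A client packs a 40-group list into the credential and loses 24 of them on the wire; a server that trusts the header sees only 16, while a server that ignores the header's gids and rebuilds the list from the uid through getpwuid(3) and getgrouplist(3), the way "nfsuserd -manage-gids" does, sees whatever its own name service (nsswitch, and so winbindd in Julian's setup) returns. The live check uses the calling process's own uid, so it exercises whatever name service the host is configured with.

```c
/* Added example, not nfsuserd source.  An AUTH_SYS credential carries at
 * most 16 gids (RFC 5531, authsys_parms.gids<16>), so a server that trusts
 * the header sees a truncated list.  A server that resolves uid -> pw_name
 * -> getgrouplist(3) itself, as "nfsuserd -manage-gids" does, sees whatever
 * its own name service (e.g. winbindd via nsswitch) returns.
 * Builds on FreeBSD and glibc: cc -Wall -o gids gids.c && ./gids */
#define _GNU_SOURCE            /* glibc: expose getgrouplist(3) in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define AUTH_SYS_MAXGIDS 16

/* Hypothetical in-memory model of the AUTH_SYS credential body. */
struct authsys_cred {
    uid_t uid; gid_t gid; int ngids; gid_t gids[AUTH_SYS_MAXGIDS];
};

/* Client side: pack a group list into the credential.  Returns how many
 * groups did not fit, i.e. what a header-trusting server never sees. */
int pack_authsys(struct authsys_cred *c, uid_t uid, gid_t gid,
                 const gid_t *gids, int n)
{
    c->uid = uid;
    c->gid = gid;
    c->ngids = n > AUTH_SYS_MAXGIDS ? AUTH_SYS_MAXGIDS : n;
    memcpy(c->gids, gids, (size_t)c->ngids * sizeof(gid_t));
    return n - c->ngids;
}

/* Server side, manage-gids style: only c->uid is used, the header's gids are
 * ignored.  glibc and FreeBSD both make getgrouplist() return -1 when the
 * buffer is too small, so grow and retry.  *out is malloc'd; returns the
 * count, or -1 with errno set (ENOENT when the uid has no passwd entry). */
int server_gids_from_cred(const struct authsys_cred *c, gid_t **out)
{
    errno = 0;
    struct passwd *pw = getpwuid(c->uid);
    if (pw == NULL) {
        if (errno == 0)
            errno = ENOENT;
        return -1;
    }
    gid_t *g = NULL;
    for (int cap = AUTH_SYS_MAXGIDS; cap <= 65536; cap *= 2) {
        gid_t *ng = realloc(g, (size_t)cap * sizeof(gid_t));
        if (ng == NULL) {
            free(g);
            return -1;                      /* errno from realloc */
        }
        g = ng;
        int n = cap;
        if (getgrouplist(pw->pw_name, pw->pw_gid, g, &n) != -1) {
            *out = g;                       /* n = groups actually found */
            return n;
        }
    }
    free(g);
    errno = E2BIG;
    return -1;
}

/* Constructed scenario: a user in 40 AD-style groups.  Returns how many of
 * them the 16-entry AUTH_SYS header drops on the wire. */
int demo_header_truncation(void)
{
    gid_t many[40];
    for (int i = 0; i < 40; i++)
        many[i] = (gid_t)(10000 + i);       /* constructed gids */
    struct authsys_cred c;
    int dropped = pack_authsys(&c, 5000, many[0], many, 40);
    return c.ngids == AUTH_SYS_MAXGIDS ? dropped : -1;
}

/* Live check: a header for the calling uid carrying zero gids, resolved the
 * manage-gids way.  Returns 1 when the resolved list contains the passwd
 * primary gid, or when the uid has no passwd entry; 0 on any other failure. */
int demo_manage_gids_self(void)
{
    struct authsys_cred c = { .uid = getuid(), .gid = getgid(), .ngids = 0 };
    gid_t *g;
    int n = server_gids_from_cred(&c, &g);
    if (n < 0)
        return errno == ENOENT;
    struct passwd *pw = getpwuid(c.uid);
    int ok = 0;
    for (int i = 0; pw != NULL && i < n; i++)
        if (g[i] == pw->pw_gid)
            ok = 1;
    free(g);
    return ok;
}

int main(void)
{
    printf("gids dropped by the AUTH_SYS header: %d\n", demo_header_truncation());
    printf("manage-gids lookup for uid %u: %s\n", (unsigned)getuid(),
           demo_manage_gids_self() ? "ok" : "failed");
    return 0;
}
```

The retry loop matters in exactly the AD case Julian describes: both libcs report -1 when the supplied buffer is too small, but FreeBSD leaves `*ngroups` at the number of entries that fit while glibc sets it to the total, so doubling the buffer is the portable way to get the full list. The header-trusting path is what a server gets without `-manage-gids`, so an AD user's 17th and later groups never reach the access check.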